Client authentication issue with large certificates

schulcz (Level 1)

Hi!

We have a strange issue. We use 9800-40 WLCs in an HA-SSO deployment model. There is a WLAN on which clients are authenticated by an external RADIUS server using certificates. If administrators use small certificate chains, authentication works perfectly. If they use a longer chain, the packets need to be fragmented and authentication does not work; the packets don't arrive at the RADIUS server.

We did a packet capture on the client and saw that if they use the small certificate chain, the fragment flag is set to 0. If they use the big certificate chain, the fragment flag is set to 1 and the packet doesn't reach the RADIUS server.

What can the problem be, and what should we check? Can this issue be related to the WLC configuration? Maybe related to the CAPWAP or MTU configuration?

Using small cert, auth works:

[screenshot: packet capture, small certificate chain, fragment flag 0]

Using large cert, auth doesn't work, packet doesn't arrive at the RADIUS server:

[screenshot: packet capture, large certificate chain, fragment flag 1]

Thanks!

8 Replies

marce1000 (Hall of Fame)

@schulcz Review this document: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222920-understand-radius-mtu-and-fragmentation.html

  M.

What RADIUS server do you use? Is it ISE?
MHM

Saikat Nandy (Cisco Employee)

In addition to what @marce1000 shared, you can have a look into CSCwo58100 as well.

@Saikat Nandy - Thank you for sharing that bug. It says it's fixed, but no releases are specified. Can you share information about which version(s) it's fixed in? Also does it affect all 17.12.x versions/service packs at least up to 17.12.4 APSP8, and will it affect local mode as well or specifically flex/central auth?

Yeah, pretty much all the 17.12.x releases are affected. 17.12.6 is where the fix has been added. An APSP on top of 17.12.5 is in progress.

@Saikat Nandy Thank you! I forgot to ask, does it only occur in FlexConnect mode with central auth, or will local mode be affected also?

Yes, apparently that's what has been observed so far: Flex, central auth + local switching.

I would like to share this doc from Cisco that explains some workarounds to deal with fragmentation of RADIUS frames:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/222920-understand-radius-mtu-and-fragmentation.html

One workaround which I see as a solution for this issue is using a specific source interface to connect to the server instead of the WMI, which is selected by default by the WLC.

This interface has an MTU of 1500, whereas the WMI has an MTU of less than 1500, and this leads to fragmentation and dropping of the frame.

Thanks to all

Have a nice day 

MHM
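The replies above boil down to one arithmetic question: does the RADIUS datagram that carries a given EAP-TLS fragment (the server certificate chain travels in those fragments) still fit the MTU of the interface the WLC sources it from? The following is an added example, not code from the thread or from Cisco. It models only the standard framing (RFC 2865 RADIUS header, RFC 2869 EAP-Message attributes of at most 253 value octets, the RFC 3579 Message-Authenticator, IPv4 and UDP headers) and reports how many IP fragments a datagram becomes on a given MTU, i.e. whether the "more fragments" flag the original poster saw will be set. The EAP fragment sizes, the 1400-octet "reduced WMI MTU" and the `other_attrs` allowance for User-Name, NAS-IP-Address, State and similar attributes are constructed assumptions for illustration. The last function also computes the largest EAP packet that avoids fragmentation, which is the number to feed into the EAP-TLS fragment-size setting on the RADIUS server if the source-interface workaround is not an option.

```python
import math

# Framing constants from RFC 2865 / RFC 2869 / RFC 3579 (not the thread's data).
RADIUS_HEADER = 20            # Code, Identifier, Length, Authenticator
ATTR_HEADER = 2               # Type and Length octets of every attribute
EAP_MESSAGE = 79              # EAP-Message attribute type
EAP_MESSAGE_MAX = 253         # largest value per attribute (255 - 2 header octets)
MESSAGE_AUTHENTICATOR = 18    # Type 80, 16-octet HMAC-MD5; mandatory with EAP-Message
IPV4_HEADER = 20
UDP_HEADER = 8


def eap_message_attrs(eap_packet: bytes) -> list:
    """Split one EAP packet into TLV-encoded EAP-Message attributes."""
    attrs = []
    for off in range(0, len(eap_packet), EAP_MESSAGE_MAX):
        chunk = eap_packet[off:off + EAP_MESSAGE_MAX]
        attrs.append(bytes([EAP_MESSAGE, ATTR_HEADER + len(chunk)]) + chunk)
    return attrs


def radius_length(eap_packet: bytes, other_attrs: int = 0) -> int:
    """RADIUS packet length once the EAP packet is carried as attributes.
    other_attrs: octets of non-EAP attributes (User-Name, State, ...), assumed."""
    return (RADIUS_HEADER
            + sum(len(a) for a in eap_message_attrs(eap_packet))
            + MESSAGE_AUTHENTICATOR
            + other_attrs)


def ipv4_fragments(radius_len: int, mtu: int) -> int:
    """Number of IPv4 fragments the UDP datagram becomes on a link with this MTU.
    1 = no fragmentation (MF clear). >1 = first fragment has MF=1, and a
    firewall or path that drops non-initial fragments loses the whole packet."""
    total = IPV4_HEADER + UDP_HEADER + radius_len
    if total <= mtu:
        return 1
    per_frag = ((mtu - IPV4_HEADER) // 8) * 8   # fragment offsets count 8-octet units
    return math.ceil((total - IPV4_HEADER) / per_frag)


def max_eap_packet(mtu: int, other_attrs: int = 0) -> int:
    """Largest EAP packet that still fits one datagram on this MTU.
    Use it as the EAP-TLS fragment size on the RADIUS server to avoid fragmentation."""
    n = mtu - IPV4_HEADER - UDP_HEADER - RADIUS_HEADER - MESSAGE_AUTHENTICATOR - other_attrs
    while n > 0 and ipv4_fragments(radius_length(b"\x00" * n, other_attrs), mtu) > 1:
        n -= 1
    return n


def report(eap_len: int, mtu: int, other_attrs: int = 0) -> dict:
    """Summarise one exchange: RADIUS length, fragment count, MF flag state."""
    rlen = radius_length(b"\x16" * eap_len, other_attrs)   # 0x16 = TLS handshake
    frags = ipv4_fragments(rlen, mtu)
    return {"eap_len": eap_len, "mtu": mtu, "radius_len": rlen,
            "fragments": frags, "mf_flag": frags > 1}


if __name__ == "__main__":
    # Constructed sizes: a short chain fits in a 1000-octet EAP-TLS fragment,
    # a long chain fills 1400-octet fragments; MTU 1400 stands in for a
    # reduced-MTU source interface, 1500 for a plain Ethernet interface.
    for eap_len in (1000, 1400):
        for mtu in (1500, 1400):
            r = report(eap_len, mtu, other_attrs=120)   # 120 = assumed other attributes
            print(f"EAP {r['eap_len']:4d} octets, MTU {r['mtu']}: RADIUS {r['radius_len']} "
                  f"octets -> {r['fragments']} fragment(s), MF={int(r['mf_flag'])}")
    for mtu in (1500, 1400):
        print(f"largest EAP packet without fragmentation at MTU {mtu}: "
              f"{max_eap_packet(mtu, other_attrs=120)} octets")
```

Run it as-is to see the same EAP packet fit at MTU 1500 and split at MTU 1400; when diagnosing a real controller, replace the constructed sizes with the EAP-Message and attribute lengths from a capture on the WLC's RADIUS source interface and the MTU reported for that interface.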
